I found a bug in some upload logic that gives anyone read/write access to the filesystem. Raised the alarm, was told that it doesn't matter, that the logic should be that flexible.

So I was going through my morning bugfix routine when I stumbled across some truly idiotic logic in a custom file upload control (ASP.NET). Basically, the user of said file upload can specify where his/her file should be saved. There is no verification that the path is inside the webroot, or that the file that is uploaded is one that should be allowed, or any of the other handful of checks that should go into file upload logic. Nothing.

I fixed the control, and wrote up a detailed explanation and analysis. Then I elevated the issue to my boss, who elevated it to his boss. They huddled, and when the huddle broke, they decided it wasn't an issue, and that the guy who built the control with this broken logic should be commended for its flexibility.

Turns out all this time I've been misunderstanding "flexibility". What it actually means is "let everyone do anything they want, anytime".

Edit: Yeah yeah permissions, but I can't make that change. I can only do what I can to stop this from happening, and then raise the alarm so that the right people know and can implement the correct fix.

If you then read further down into the comments, you'll discover that the original author of this post apparently works at INITECH.

Didn't he get that memo on TPS report cover sheets?

I was going to rant about the security implications of this out-of-control aspx madness, but I think the risk associated with letting anyone upload and execute anything they want to your webserver is, well, obvious.
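For readers who want to see what the missing checks look like in code, here is an added example of a hardened save routine for an ASP.NET (System.Web) upload handler. It is not the control from the original post and not anyone's production code; the class and method names, the upload root and the extension allowlist are all assumptions chosen for illustration. It does the two things the post says were absent: it canonicalises the user-supplied path and refuses anything that resolves outside the upload directory, and it only accepts files whose extension is on a short allowlist.

```csharp
// Added example: path containment and extension allowlisting for an ASP.NET
// upload handler. All names here are hypothetical, not from the original control.
using System;
using System.IO;
using System.Linq;
using System.Web;

public static class SafeUploadSaver
{
    // Allowlist, not a denylist: anything not listed here is refused.
    // (Assumed set; pick what the application actually needs.)
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".pdf" };

    // uploadRoot: absolute path of the directory uploads may land in. It is
    // assumed to sit outside the webroot, or in a folder where IIS will not
    // execute scripts, so that a stored file can never run as a page.
    // requestedRelativePath: the path the user asked for, e.g. "reports/q1.pdf".
    public static string ResolveSafePath(string uploadRoot, string requestedRelativePath)
    {
        if (string.IsNullOrWhiteSpace(requestedRelativePath))
            throw new ArgumentException("No target path supplied.");

        // Reject rooted input outright ("C:\inetpub\wwwroot\x.aspx", "\\server\share\x").
        // Path.Combine would otherwise discard the root and return the second argument.
        if (Path.IsPathRooted(requestedRelativePath))
            throw new UnauthorizedAccessException("Absolute paths are not allowed.");

        // Normalise the root and make sure it ends with a separator, so that a
        // prefix comparison cannot be fooled by a sibling such as "uploads2".
        string rootFull = Path.GetFullPath(uploadRoot);
        if (!rootFull.EndsWith(Path.DirectorySeparatorChar.ToString()))
            rootFull += Path.DirectorySeparatorChar;

        // Canonicalise: GetFullPath collapses "." and ".." segments, so
        // "a/../../web.config" becomes a real absolute path we can compare.
        string candidate = Path.GetFullPath(Path.Combine(rootFull, requestedRelativePath));

        // Containment check on the canonical path, not on the raw user string.
        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Target path escapes the upload directory.");

        // Extension check also on the canonical path; the client's Content-Type
        // header is attacker-controlled and is deliberately not consulted.
        string ext = Path.GetExtension(candidate);
        if (!AllowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("File type not allowed.");

        return candidate;
    }

    // Stores the posted file only after every check above has passed.
    public static void Save(HttpPostedFile file, string uploadRoot, string requestedRelativePath)
    {
        string target = ResolveSafePath(uploadRoot, requestedRelativePath);
        Directory.CreateDirectory(Path.GetDirectoryName(target));
        file.SaveAs(target);
    }
}
```

The two decisions worth copying are that the comparison happens after `Path.GetFullPath` has resolved every `..`, and that the file type is decided by an allowlist rather than by whatever the browser sent. The permission fix the original poster mentions (an application pool identity that cannot write to the webroot at all) is the layer that catches this even when the code check is wrong, which is why he was right to push it up the chain.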


6 Comments

These are the sorts of classic cases where technology is being built and consumed before anyone starts thinking about security (because that takes time and knowledge) or going slow enough to allow the people who have security minds to ramp up and be able to understand these things and make suggestions/requirements.

Or...some monkey was just stupid.

It's been my observation professionally that unless there is someone catching these things and raising their voice, they happen constantly. It's about tossing the bowling ball down the lane and just ignoring that there may be gutters there.

From the Initech home page: "The principals of the company believe in employing skilled consultants who concentrate first on hearing your concerns related to a particular business or technology issue. The consultant then ensures these concerns are addressed with you in a straight-forward, non-technical manner before any work commences." I guess 'Ignore it' is about as non-technical as you can get.

Bit of a link problem Chief - "INITECH" link is "http://it.toolbox.com/blogs/securitymonkey/href=" which goes nowhere :? Guessing it is "http://www.initechgroup.com/index.htm" which is one of the worst web sites I've seen for a long time! LOL

Completely agreed... I know a one-man shop that made a site much better than that... Those images are ridiculously sized!
(Even I could have made a better job, and I'm very lousy when it comes to web design).

Nothing really amazes me anymore when it comes to this sort of thing. It is symptomatic of not having a proper set of secure coding guidelines that defines what a coder can and cannot do. In this case he was probably not breaking any documented rules, it was meeting a business requirement - so why not!
